January 2019 Code Aurora Security Bulletin

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2018-12006, CVE-2018-12010, CVE-2018-12011, CVE-2018-13893

Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information.

Table of vulnerabilities

Public ID	Security Rating	Technology Area	Date Reported
CVE-2018-12006	Medium	Display	5/16/2018
CVE-2018-11962	High	Audio	Internal
CVE-2018-12010	Medium	Core Services	6/19/2018
CVE-2018-12011	Medium	Qualcomm IPC	6/27/2018
CVE-2018-12014	High	Data Network Stack & Connectivity	Internal
CVE-2018-13889	High	GPS AP-Linux	Internal
CVE-2018-13893	Medium	Core Services	7/24/2018

CVE-2018-12006

CVE ID	CVE-2018-12006
Title	Information Exposure in Display
Description	Users with no extra privileges can potentially access leaked data due to uninitialized padding present in display function.
Technology Area	Display
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	Medium
Date Reported	5/16/2018
Customer Notified Date	10/1/2018
Patch	https://source.codeaurora.org/quic/la/platform/hardware/qcom/display/commit/?id=3aad4a11e276fb7101185d0b152e208a32829d31 https://source.codeaurora.org/quic/la/platform/hardware/qcom/display/commit/?id=2a39b827b1509777da7025e0b78a82d573fad931

CVE-2018-11962

CVE ID	CVE-2018-11962
Title	Use After Free in Audio
Description	Heap-use-after-free issue while loading audio effects config in audio effects factory.
Technology Area	Audio
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/1/2018
Patch	https://source.codeaurora.org/quic/la/platform/frameworks/av/commit?id=217604d69ce4dcf7c6433a9eafdfceefe25e8fd3

CVE-2018-12010

CVE ID	CVE-2018-12010
Title	Stack-based Overflow in Core
Description	Absence of length sanity check may lead to possible stack overflow resulting in memory corruption in trustzone region.
Technology Area	Core Services
Vulnerability Type	CWE-121 Stack-based Buffer Overflow
Access Vector	Local
Security Rating	Medium
Date Reported	6/19/2018
Customer Notified Date	10/1/2018
Patch	https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=75c86dab36b2685ca74aaa1f71ed2892c6cf2e08

CVE-2018-12011

CVE ID	CVE-2018-12011
Title	Information Exposure in Core
Description	Uninitialized data for socket address leads to information exposure.
Technology Area	Qualcomm IPC
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	Medium
Date Reported	6/27/2018
Customer Notified Date	10/1/2018
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b7190cd8cb4f73cd243596045080f2da99d8f8d4

CVE-2018-12014

CVE ID	CVE-2018-12014
Title	Use After Free in HLOS Data
Description	A dangling pointer can be dereferenced in HLOS Data.
Technology Area	Data Network Stack & Connectivity
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/1/2018
Patch	https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=545e03e8420164506457367959ccf01bd055e1aa

CVE-2018-13889

CVE ID	CVE-2018-13889
Title	Use After Free in GPS
Description	Heap memory was accessed after it was freed.
Technology Area	GPS AP-Linux
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/1/2018
Patch	https://source.codeaurora.org/quic/le/platform/hardware/qcom/gps/commit/?id=03885c6896a88d993dd49c64ada02bec52af08a1

CVE-2018-13893

CVE ID	CVE-2018-13893
Title	Untrusted Pointer Dereference in DIAG Services
Description	Out of bound mask range access caused by using possible old value of msg mask table count while copying masks to userspace.
Technology Area	Core Services
Vulnerability Type	CWE-822 Untrusted Pointer Dereference
Access Vector	Local
Security Rating	Medium
Date Reported	7/24/2018
Customer Notified Date	10/1/2018
Patch	https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=3977c31dd3fc711d8a7880ba954185a7306d2c25 https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7a22262828748d8e0c00661b10bec54d7d11fac4

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

• Consideration of security protections such as SELinux not enforced on some platforms

• Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version	Date	Comments
1.0	January 7, 2019	Bulletin Published